Protecting text fields from html code

I have a client who has been using an HTML form questionnaire for quite some time. Recently she's been receiving 2-3 messages a day through this form with the text fields filled out with HTML code directing her to porn links etc.

How do I protect the text fields from accepting HTML code? They should accept text only. It's a simple HTML form.

Please advise.  Thanks in advance for your input!
rexnkarenAsked:
 
netmunkyCommented:
is the problem that she is receiving questions with porn links, or that the questionnaire is posting porn links on her website?

to block malicious code from form submits, there are 2 basic steps you can do:

1) require a captcha. freecap (http://www.puremango.co.uk/cm_php_captcha_script_113.php) is very easy to implement.
2) don't display any user entered data that is not passed through htmlentities (php.net/htmlentities, or other language equivalent). this will change the link to the literal message <a href="....">etc. It doesn't block the spam, but at least it prevents the spammer from getting the backlink they are going for, and prevents you from spending your pagerank on them.

as added steps, you can check blacklists (http://pear.php.net/package/Net_DNSBL/docs/1.3.0/Net_DNSBL/Net_DNSBL.html) or require email validation from users before activating questions/postings.
0
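
As an added example (not part of netmunky's answer and not freecap code), one way to reject HTML in the text fields on the server and to encode values with htmlentities before they are shown. The function names, field names and sample submission are assumptions made for illustration.

```php
<?php
// Added example; field names and the sample submission are constructed.

/** True when the value contains no HTML markup, raw or entity-encoded. */
function is_plain_text(string $value): bool
{
    // Decode entities first so "&lt;a href=...&gt;" is treated like "<a href=...>".
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // strip_tags() removes anything it parses as a tag; any change means markup.
    return strip_tags($decoded) === $decoded;
}

/** Encode a value so that markup is shown as literal text, never rendered. */
function escape_for_display(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Validate the listed fields; returns [errors, plain-text message body]. */
function build_message(array $post, array $fields): array
{
    $errors = [];
    $lines  = [];
    foreach ($fields as $name) {
        // Ignore array-valued parameters (e.g. comment[]=...) instead of casting them.
        $value = is_string($post[$name] ?? null) ? trim($post[$name]) : '';
        if (!is_plain_text($value)) {
            $errors[] = "Field '$name' must not contain HTML.";
            continue;
        }
        $lines[] = "$name: $value";
    }
    return [$errors, implode("\n", $lines)];
}

// Constructed submission resembling the spam described in the question.
$sample = [
    'name'    => 'Jane Example',
    'comment' => 'Visit <a href="http://spam.example/">my site</a>',
];
[$errors, $body] = build_message($sample, ['name', 'comment']);
if ($errors) {
    // Reject the submission; nothing is mailed.
    echo escape_for_display(implode("\n", $errors)), "\n";
} else {
    // Send as text/plain so the mail client does not render markup:
    // mail('owner@example.com', 'Questionnaire', $body, 'Content-Type: text/plain; charset=UTF-8');
    echo $body, "\n";
}
```

This check complements the captcha: the captcha stops automated submissions, while this rejects markup from any sender.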
 
rexnkarenAuthor Commented:
The form does not post anything back to the site; it only submits via email to my client. She has been getting them with porn links, talk of incest & misc. Is it ok to copy & paste her latest email the way it came in to her? It doesn't have any pics or anything. Just HTML links.
0
 
netmunkyCommented:
if it is simply just emailing her the information, i would suggest adding the freecap captcha to the form. this will prevent any submissions where the person does not enter what they see in the image

http://en.wikipedia.org/wiki/Captcha
0
 
rexnkarenAuthor Commented:
Thank you.  I'll check it out and return to update & award points if appropriate...
0
 
rexnkarenAuthor Commented:
At first glance I'm seeing any directions on how to use this software.  ?  I've downloaded but now what?
0
 
netmunkyCommented:
on the HTML form you would include:
<img id="freecap" src="/freecap/freecap.php" /><br/>
<input type="text" name="captcha" id="captcha" /><br/>
Cannot read the image?  <a href="#" onclick="document.getElementById('freecap').src='/freecap/freecap.php?'+Math.random();">Click Here</a><br/>


in the form submission, you would have:
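    <?php
    // the hash function name and the expected word hash are read from the session
    session_start();
    if( !isset($_POST['captcha']) ||
        !isset($_SESSION['freecap_word_hash']) ||
        // strict comparison (!==) so PHP does not type-juggle the two hash strings
        $_SESSION['hash_func']($_POST['captcha']) !== $_SESSION['freecap_word_hash'] )
    {
      // discard the stored hash so the same image cannot be retried
      unset( $_SESSION['freecap_word_hash'] );
      die("The word you entered did not match the image.<br/>");
    }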


you can give more friendly error messages if you want, but that is the basics.
0
 
rexnkarenAuthor Commented:
0
 
netmunkyCommented:
html is not a PHP file

you can only use freecap if you are using PHP for the form handling. you can not put the PHP source code into a static HTML file.
0
 
netmunkyCommented:
you're also using FormMail.cgi, which is likely to be PERL, not PHP
0
 
netmunkyCommented:
if you're using FormMail from Matt's Script Archive, check out http://www.formmail.com/captcha/
0
 
rexnkarenAuthor Commented:
I'm going to check it out.  Please don't give up & desert me.  Thank you!  (0:
0
 
rexnkarenAuthor Commented:
Hmm...so, if I want to use the freecap I would need to build a form and submit without formmail?  I guess I'll need to check out how to do that.  Would you be able to write the code to put all this together?  I can write another question so you can have more points.  Is that kosher?
0
 
netmunkyCommented:
you can download a sample php form to email script here: http://formtoemail.com/
0
Question has a verified solution.
